
Operation WhiteBerry

Operation Whiteberry was developed to solve multiple problems found within the
wireless data transfer systems of the Wireless Application Protocol (WAP) and the
Blackberry mobile messaging system. Because of the security issues surrounding
these protocols, Operation Whiteberry is built to compete against the vendors that
promote closed and proprietary solutions, such as RIM's Blackberry. Rather than
reviewing the complete project, a look at the security issues that Operation
Whiteberry raises should better illustrate the problems that Blackberry faces.
It is important to understand RIM's definition of end-to-end as opposed to the
logical definition. Operation Whiteberry defines end-to-end as messaging from the
point of origin to the point of destination, that is, from the Blackberry to the
intended email address. This difference in point of view matters for security.
RIM defines end-to-end as messaging from the point of origin to the point of
corporate email redirection, that is, from the Blackberry device to the corporate
mail system. Operation Whiteberry also takes into account the proprietary, closed
nature of the messaging architecture, since this prevents the use of other
independent or third-party security mechanisms.
All of these are important points. If the user or customer thinks that the
Blackberry wireless device provides security from the handheld to the receiver of
the email, they are only partially correct. Blackberry was built to be used with
other email servers, so the security Blackberry provides extends from the handheld
to the point of decryption at the corporate mail system. After that, the email is
sent by the corporate mail system to the intended receiver over the Internet,
without any encryption.
Last, Blackberry users can send electronic messages to other Blackberry users
without connecting to the email system. This "direct-connect" feature does not
support full encryption, so information sent and received wirelessly in this way
is more easily accessible. It is important either to remove this ability or to add
a statement to your wireless policy disclosing this limitation and requiring that
no confidential or corporate information be passed in this fashion.

During the terrorist attacks of September 11, 2001, while other lines of
communication, such as cell phones, pagers and telephones, failed, Blackberry
did not. In fact, it has received rave reviews for its performance during those
horrible times. Remarkable stories have poured out from Blackberry users who
used the technology to stay in touch with loved ones, evacuate employees, or save
informational assets when no other means of communication was available.
On the day of those attacks, Congressman Robert Ney (R-Ohio) used his
Blackberry to communicate with his assistants and family. As a result, he
ordered 435 Blackberry devices, one for each member of the House, so those
representatives could communicate with their assistants and families during
emergencies. As an indirect result, Congressman Ney reports, they have become
more productive in their normal workload.
If it's good enough for the government, is it good enough for you? The answer
may be yes, if the correct policies and procedures are in place to maximize the
security benefits that Blackberry provides. The key to any secure environment,
wireless devices included, is to make full use of the security features each
device offers. Following these procedures and policies, and auditing users to
make sure they are followed, should mitigate the risk that wireless devices pose.
Of course, not having wireless devices at all would be the optimal choice for
security, but that is not always possible. Wireless devices have a long way to go
before they can be considered secure, but at least the Blackberry by Research in
Motion has been shown to be more secure than most wireless devices currently in
production.

BlackBerry Security

Top 5 Blackberry Security Recommendations
1. Disable PIN-to-PIN messaging
2. Enable password protection on the device (strong passwords, expiration)
3. Disable the installation of 3rd party applications
4. Make users aware that data on the device is at risk (awareness)
5. Communicate the procedure for loss of device and emergency shutdown of
service.

Blackberry mobile units are wireless email devices designed and produced by
Research in Motion Ltd (RIM).

Blackberry uses multiple different backbones to deliver the required information
packets over the wireless network. These backbones include Microsoft's Exchange
Server, Lotus Notes Domino, as well as Internet-only email systems.

Microsoft Exchange Server

At the center of the backbone is RIM's proprietary Desktop Manager. This
software package stores the configuration information and synchronizes the
handheld, through a docking station connected by a serial cable, with the user's
main desktop computer. The synchronization covers tasks, contacts, calendar,
email and time, as well as the initial encryption key, which is detailed later in
this report. After the initial synchronization, the Blackberry links up with the
Blackberry Enterprise Server, which monitors the user's inbox for new mail,
compresses and encrypts messages for delivery to the Blackberry handheld, and
decompresses and decrypts messages originating from the handheld. These two
software packages then integrate with Microsoft's Exchange Server and Outlook for
email delivery to the recipient. Figure 1 illustrates the path the information
takes through the computer network for the Microsoft Exchange Server backbone.
Keep in mind that this is a two-way diagram: the email starts at the mobile unit,
moves through the network to the Blackberry desktop, and out again to the
recipient.

Blackberry also supports two other server backbones:
1) Lotus Domino Server
2) Internet-only architecture
Both of these architectures are similar to the Microsoft Exchange one.

III. Blackberry Security Features
Wireless devices have become an essential component of the corporate
executive's or technical worker's arsenal. Because of the information that is now
being transmitted, literally falling out of the sky, the term end-to-end security
is no longer a selling point but a requirement. Because of this increased demand
for security, Research in Motion developed the Blackberry architecture to meet
several security objectives. These objectives include:
1. Protecting data on the handheld
2. Securing the wireless link
3. Minimal user impact
Information security staff have been inundated with wireless devices that
promise security outwardly but have little to show for it. Security issues
surrounding wireless devices include eavesdropping, physical theft of equipment
and information, viruses, DoS attacks, spoofing, and hijacking. The following
list of security features is sorted by RIM's stated objectives and compared to
the issues and vulnerabilities surrounding wireless networks.

Passwords Targeted By Conficker


The worm acquires the list of usernames from the targeted computer using the NetUserEnum API, then attempts to log on to the targeted computer using the existing user accounts and one of the following passwords:

• [username]

• [username][username]

• [reverse_of_username]

• 00000

• 0000000

• 00000000

• 0987654321

• 11111

• 111111

• 1111111

• 11111111

• 123123

• 12321

• 123321

• 12345

• 123456

• 1234567

• 12345678

• 123456789

• 1234567890

• 1234abcd

• 1234qwer

• 123abc

• 123asd

• 123qwe

• 1q2w3e

• 22222

• 222222

• 2222222

• 22222222

• 33333

• 333333

• 3333333

• 33333333

• 44444

• 444444

• 4444444

• 44444444

• 54321

• 55555

• 555555

• 5555555

• 55555555

• 654321

• 66666

• 666666

• 6666666

• 66666666

• 7654321

• 77777

• 777777

• 7777777

• 77777777

• 87654321

• 88888

• 888888

• 8888888

• 88888888

• 987654321

• 99999

• 999999

• 9999999

• 99999999

• a1b2c3

• aaaaa

• abc123

• academia

• access

• account

• Admin

• admin

• admin1

• admin12

• admin123

• adminadmin

• administrator

• anything

• asddsa

• asdfgh

• asdsa

• asdzxc

• backup

• boss123

• business

• campus

• changeme

• cluster

• codename

• codeword

• coffee

• computer

• controller

• cookie

• customer

• database

• default

• desktop

• domain

• example

• exchange

• explorer

• files

• foobar

• foofoo

• forever

• freedom

• games

• home123

• ihavenopass

• Internet

• internet

• intranet

• killer

• letitbe

• letmein

• Login

• login

• lotus

• love123

• manager

• market

• money

• monitor

• mypass

• mypassword

• mypc123

• nimda

• nobody

• nopass

• nopassword

• nothing

• office

• oracle

• owner

• pass1

• pass12

• pass123

• passwd

• Password

• password

• password1

• password12

• password123

• private

• public

• pw123

• q1w2e3

• qazwsx

• qazwsxedc

• qqqqq

• qwe123

• qweasd

• qweasdzxc

• qweewq

• qwerty

• qwewq

• root123

• rootroot

• sample

• secret

• secure

• security

• server

• shadow

• share

• student

• super

• superuser

• supervisor

• system

• temp123

• temporary

• temptemp

• test123

• testtest

• unknown

• windows

• work123

• xxxxx

• zxccxz

• zxcvb

• zxcvbn

• zxcxz

• zzzzz


So if you use any one of the above passwords, change it and choose a strong password.
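As an added example (not part of the original post), the following Python script turns the list above into a local password audit: it rebuilds the worm's candidate set for a given account, including the three username-derived patterns it tries first, and reports which accounts would fall to it. The sample accounts are constructed; the 12-character minimum and the case-insensitive check are assumptions of this example and are stricter than the worm's own exact matching.

```python
# Added example: audit passwords against the Downadup/Conficker dictionary.
# The worm tries [username], [username][username] and the reversed username,
# then the static list below, matching each candidate exactly.

CONFICKER_STATIC_PASSWORDS = """
00000 0000000 00000000 0987654321 11111 111111 1111111 11111111 123123 12321
123321 12345 123456 1234567 12345678 123456789 1234567890 1234abcd 1234qwer 123abc
123asd 123qwe 1q2w3e 22222 222222 2222222 22222222 33333 333333 3333333
33333333 44444 444444 4444444 44444444 54321 55555 555555 5555555 55555555
654321 66666 666666 6666666 66666666 7654321 77777 777777 7777777 77777777
87654321 88888 888888 8888888 88888888 987654321 99999 999999 9999999 99999999
a1b2c3 aaaaa abc123 academia access account Admin admin admin1 admin12
admin123 adminadmin administrator anything asddsa asdfgh asdsa asdzxc backup boss123
business campus changeme cluster codename codeword coffee computer controller cookie
customer database default desktop domain example exchange explorer files foobar
foofoo forever freedom games home123 ihavenopass Internet internet intranet killer
letitbe letmein Login login lotus love123 manager market money monitor
mypass mypassword mypc123 nimda nobody nopass nopassword nothing office oracle
owner pass1 pass12 pass123 passwd Password password password1 password12 password123
private public pw123 q1w2e3 qazwsx qazwsxedc qqqqq qwe123 qweasd qweasdzxc
qweewq qwerty qwewq root123 rootroot sample secret secure security server
shadow share student super superuser supervisor system temp123 temporary temptemp
test123 testtest unknown windows work123 xxxxx zxccxz zxcvb zxcvbn zxcxz
zzzzz
""".split()

MIN_LENGTH = 12  # assumed local policy; the post only says "choose a strong password"


def conficker_candidates(username):
    """All passwords the worm would try against this account, in its order."""
    return [username, username * 2, username[::-1]] + CONFICKER_STATIC_PASSWORDS


def audit_password(username, password, min_length=MIN_LENGTH):
    """Return the reasons a password fails; an empty list means it passes.

    An exact hit reproduces what the worm does. The case-insensitive hit is a
    stricter local choice (assumption of this example): such a password falls
    to any trivial variant of the same list."""
    candidates = conficker_candidates(username)
    reasons = []
    if password in candidates:
        reasons.append("in Conficker dictionary (exact match)")
    elif password.lower() in {c.lower() for c in candidates}:
        reasons.append("in Conficker dictionary (case variant)")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def audit_accounts(accounts):
    """accounts: iterable of (username, password). Returns [(username, reasons)]
    for the failing accounts only."""
    failures = []
    for username, password in accounts:
        reasons = audit_password(username, password)
        if reasons:
            failures.append((username, reasons))
    return failures


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = [
    ("jsmith", "jsmith"),                          # [username]
    ("jsmith", "htimsj"),                          # [reverse_of_username]
    ("backup", "backupbackup"),                    # [username][username]
    ("svc_sql", "PASSWORD123"),                    # case variant of a listed password
    ("mlee", "correct-horse-battery-staple-9"),    # passes
]

if __name__ == "__main__":
    for username, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{username}: {'; '.join(reasons)}")
```

Because the worm also derives candidates from the username itself, a password policy that only bans the static list is not enough: the audit has to be run per account, with the username in hand.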

Removal Tools For Conficker


Download the tools for removing this worm from the sites listed below:

F-Downadup
Specific tool with heuristics for Downadup worm variants:

ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip


FSMRT
Non-specific detection tool, larger file size:

ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip


Note: these are command-line tools; please read the text file included in the ZIP for additional details.

Updates

These are beta tools. Use the following FTP location to determine the file dates:

ftp://ftp.f-secure.com/anti-virus/tools/beta/


Scanning Options

Downadup uses random extension names in order to avoid detection.

During disinfection, the scanning options should be set to:

• Scan all files

Upon execution, the Downadup (Kido, Conficker) worm creates copies of itself in:

• %System%\[Random].dll

• %Program Files%\Internet Explorer\[Random].dll

• %Program Files%\Movie Maker\[Random].dll

• %All Users Application Data%\[Random].dll

• %Temp%\[Random].dll

• %System%\[Random].tmp

• %Temp%\[Random].tmp


* Note: [Random] represents a randomly generated name.

Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.

The worm may create the following files on removable and mapped drives:

• %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]

• %DriveLetter%\autorun.inf


See the description for Worm:W32/Downaduprun.A for additional details on the autorun.inf file.

It then attaches itself to the following processes:

• svchost.exe

• explorer.exe

• services.exe

The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:


• Windows Automatic Update Service (wuauserv)

• Background Intelligent Transfer Service (BITS)

• Windows Security Center Service (wscsvc)

• Windows Defender Service (WinDefend)

• Windows Error Reporting Service (ERSvc)

• Windows Error Reporting Service (WerSvc)


In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:


• netsh interface tcp set global autotuning=disabled


The worm also hooks the following APIs in order to block access when the user attempts to reach a long list of domains:


• DNS_Query_A

• DNS_Query_UTF8

• DNS_Query_W

• Query_Main

• sendto


If the user attempts to access any of the following, primarily security-related, domains, the access is blocked:


• virus

• spyware

• malware

• rootkit

• defender

• microsoft

• symantec

• norton

• mcafee

• trendmicro

• sophos

• panda

• etrust

• networkassociates

• computerassociates

• f-secure

• kaspersky

• jotti

• f-prot

• nod32

• eset

• grisoft

• drweb

• centralcommand

• ahnlab

• esafe

• avast

• avira

• quickheal

• comodo

• clamav

• ewido

• fortinet

• gdata

• hacksoft

• hauri

• ikarus

• k7computing

• norman

• pctools

• prevx

• rising

• securecomputing

• sunbelt

• emsisoft

• arcabit

• cpsecure

• spamhaus

• castlecops

• threatexpert

• wilderssecurity

• windowsupdate

• nai

• ca

• avp

• avg

• vet

• bit9

• sans

• cert
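The blocked names above are substrings, so the hooked DNS functions fail any lookup whose hostname contains one of them. The following Python probe is an added example (not part of the original post) that uses this symptom to check a suspect host: if the control names resolve but none of the security-vendor names do, the resolver is probably being filtered. The probe hostnames, the simulated resolvers and the 192.0.2.1 address are constructed for this example; on a real host the probe is run with socket.gethostbyname.

```python
import socket

# The 60 substrings from the list above (constructed copy for this example).
BLOCKED_TOKENS = """
virus spyware malware rootkit defender microsoft symantec norton mcafee
trendmicro sophos panda etrust networkassociates computerassociates f-secure
kaspersky jotti f-prot nod32 eset grisoft drweb centralcommand ahnlab esafe
avast avira quickheal comodo clamav ewido fortinet gdata hacksoft hauri ikarus
k7computing norman pctools prevx rising securecomputing sunbelt emsisoft
arcabit cpsecure spamhaus castlecops threatexpert wilderssecurity
windowsupdate nai ca avp avg vet bit9 sans cert
""".split()


def matches_block_list(hostname):
    """Return the first token contained in hostname, or None.

    This is a plain substring test, which is why short tokens such as "ca",
    "vet" and "cert" also catch names that have nothing to do with security."""
    h = hostname.lower()
    for token in BLOCKED_TOKENS:
        if token in h:
            return token
    return None


def probe_dns_blocking(resolve, vendor_hosts, control_hosts):
    """Classify a host's DNS behaviour.

    resolve(hostname) must return an address string or raise OSError, which is
    how socket.gethostbyname behaves. Returns (verdict, per_vendor_results):
      'no_network'        - the control names do not resolve either
      'suspect_filtering' - controls resolve but every vendor name fails
      'ok'                - at least one vendor name resolves
    """
    def resolves(host):
        try:
            resolve(host)
            return True
        except OSError:
            return False

    results = {host: resolves(host) for host in vendor_hosts}
    if not all(resolves(host) for host in control_hosts):
        return "no_network", results
    if not any(results.values()):
        return "suspect_filtering", results
    return "ok", results


# Constructed probe sets: every vendor name contains a token, no control name does.
VENDOR_HOSTS = ["www.f-secure.com", "www.symantec.com", "update.microsoft.com"]
CONTROL_HOSTS = ["www.example.com", "www.example.net"]


def run_probe(resolve=socket.gethostbyname):
    """Validate the probe sets against the token list, then run the probe."""
    assert all(matches_block_list(h) for h in VENDOR_HOSTS)
    assert not any(matches_block_list(h) for h in CONTROL_HOSTS)
    return probe_dns_blocking(resolve, VENDOR_HOSTS, CONTROL_HOSTS)


# Simulated resolvers so the example runs offline (constructed, not real DNS).
def simulated_hooked_resolver(hostname):
    """Behaves like a host with the hooks installed: token hits fail, the rest resolve."""
    if matches_block_list(hostname):
        raise OSError("lookup failed")
    return "192.0.2.1"


def simulated_offline_resolver(hostname):
    """Behaves like a host with no working DNS at all."""
    raise OSError("no network")


if __name__ == "__main__":
    verdict, results = run_probe(simulated_hooked_resolver)
    print(verdict, results)
```

The control names matter: without them a dead network link looks exactly like filtering. The over-broad tokens are themselves a useful tell during triage, since a host that suddenly cannot resolve ordinary names containing "ca" or "cert" is behaving like the hook, not like a DNS outage.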


Propagation

To propagate itself, the worm first modifies the following registry entry so that it can spread more rapidly across a network:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpNumConnections" = dword:0x00FFFFFE


The worm uses the TCP/IP driver to speed up its propagation: it changes the limit on half-open connections to 0x10000000 (268435456) in memory, a function implemented in %System%\drivers\tcpip.sys.

It looks for suitable computers on the network using NetServerEnum, then attempts to log on to any computer found with the following login credentials:

• Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed.

If the worm successfully accesses the network share, it copies itself to the "ADMIN$" share as:


• \\[Server Host Name]\ADMIN$\System32\[random filename].[random extension]


It then creates a daily scheduled job on the remote server to execute the following command:


• rundll32.exe [random filename].[random extension], [random]


The worm is also able to propagate by downloading a copy of itself onto other machines that are vulnerable to the critical MS08-067 vulnerability. To do so, the worm first connects to the following sites to retrieve the system's %ExternalIPAddress%:


• http://checkip.dyndns.org

• http://getmyip.co.uk

• http://www.getmyip.org

• http://www.whatsmyipaddress.com


Next, the worm creates an HTTP server on a random port:

• http://%ExternalIPAddress%:%RandomPort%


Creating the HTTP server allows the malware to send out specially crafted packets (exploit code) from the infected machine to other machines. If the exploit is successful, the targeted machine is forced to download a copy of the malware from the first infected machine.

The downloaded malware has one of the following extensions:

• bmp

• gif

• jpeg

• png


It then hooks the NetpwPathCanonicalize API so that the vulnerability cannot be exploited further.

Downloads

Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:


• ask.com

• baidu.com

• google.com

• w3.org

• yahoo.com


The obtained system date is used to generate a list of domains where the malware can download additional files.

It then verifies whether the current date is at least 1 January 2009. If so, it downloads and executes files from:

• http://%PredictableDomainsIPAddress%/search?q=%d


Note: %PredictableDomainsIPAddress% is the domain generated based on the system date.

The downloaded file has the format:

• [random].tmp


Registry

The worm deletes a number of keys from the registry in order to deactivate the Security Center notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that a copy of the worm can be downloaded from the system:

• HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = "[PortNumber]:TCP:*Enabled:[random]"


To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = dword:00000000

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%


During infection, the worm may create a temporary (TMP) file in the System or Temp folder. The TMP file is registered as a kernel driver service using the following registry entry:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
Type = dword:00000001
Start = dword:00000003
ErrorControl = dword:00000000
ImagePath = "\...\%MalwarePath%\[random].tmp"
DisplayName = [Random]


Once the key is created, the file %MalwarePath%\[random].tmp is deleted.

An interesting change the worm makes to the registry involves the following registry entries:


• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
DisplayName = %ServiceName%
Type = dword:00000020
Start = dword:00000002
ErrorControl = dword:00000000
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Description = %description%

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters
ServiceDll = %MalwarePath%
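As an added example (not part of the original post or of F-Secure's description), the following Python script parses a Regedit-style export and flags the registry indicators described in the Propagation and Registry sections: the raised TcpNumConnections value, the SHOWALL CheckedValue set to 0, a firewall port opened to all networks, a netsvcs-hosted service whose ServiceDll lies outside system32, and a kernel driver service whose image is a .tmp file. The sample export is constructed: the service names xkqwe and qzpl, the port 4711 and the DLL path are made up, and BITS is included as a benign netsvcs service that must not be flagged. Regedit exports REG_EXPAND_SZ values as hex(2), which this parser does not decode, so the sample writes ImagePath as a plain string.

```python
import re

# Constructed sample Regedit export (not taken from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"4711:TCP"="4711:TCP:*:Enabled:xkqwe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqwe]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqwe\Parameters]
"ServiceDll"="C:\\Documents and Settings\\All Users\\Application Data\\abcd.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzpl]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\qzpl.tmp"
'''


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_lowercased: {value_name: value}}.
    dword values become ints and quoted strings are unescaped; any other type
    (for example hex(2) for REG_EXPAND_SZ) is kept as raw text."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw_value = m.group(1), m.group(2)
        if raw_value.lower().startswith("dword:"):
            value = int(raw_value[6:], 16)
        elif len(raw_value) >= 2 and raw_value.startswith('"') and raw_value.endswith('"'):
            value = raw_value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw_value
        hives[current][name] = value
    return hives


def _in_system32(path):
    p = str(path).lower()
    return p.startswith("%systemroot%\\system32\\") or re.match(r"^[a-z]:\\windows\\system32\\", p) is not None


def triage(reg_text):
    """Return [(check_id, where)] for the Downadup registry indicators described above."""
    hives = parse_reg(reg_text)
    findings = []
    for key, values in hives.items():
        short = key.rsplit("\\", 1)[-1]
        # Propagation: connection limit raised to 0x00FFFFFE
        if key.endswith("\\services\\tcpip\\parameters") and values.get("TcpNumConnections") == 0x00FFFFFE:
            findings.append(("tcp_num_connections_raised", key))
        # Registry: "show hidden files" switched off
        if key.endswith("\\folder\\hidden\\showall") and values.get("CheckedValue") == 0:
            findings.append(("hidden_files_showall_disabled", key))
        # Registry: firewall port opened to all networks (scope "*", Enabled)
        if key.endswith("\\globallyopenports\\list"):
            for name, val in values.items():
                fields = str(val).split(":")
                if any(f.startswith("*") for f in fields) and any("enabled" in f.lower() for f in fields):
                    findings.append(("firewall_global_open_port", name))
        # Registry: svchost -k netsvcs service whose DLL lives outside system32
        if key.endswith("\\parameters") and "ServiceDll" in values:
            service_key = key[: -len("\\parameters")]
            image = str(hives.get(service_key, {}).get("ImagePath", "")).lower()
            if "svchost.exe" in image and "-k netsvcs" in image and not _in_system32(values["ServiceDll"]):
                findings.append(("netsvcs_servicedll_outside_system32", service_key.rsplit("\\", 1)[-1]))
        # Registry: kernel driver service (Type 1) whose image is a .tmp file
        if values.get("Type") == 1 and str(values.get("ImagePath", "")).lower().endswith(".tmp"):
            findings.append(("kernel_driver_tmp_image", short))
    return findings


if __name__ == "__main__":
    for check, where in triage(SAMPLE_REG):
        print(f"{check}: {where}")
```

The ServiceDll check is the one worth keeping after the outbreak: a service hosted by svchost -k netsvcs normally loads its DLL from system32, so any netsvcs entry pointing elsewhere deserves a look regardless of what malware put it there.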